Disaster Recovery: The Cloud Changes Everything

9 Crucial Steps Toward Effective Disaster Recovery

In a recent report, Gartner delineated what distinguishes disaster recovery as a service from the more traditional type of DR service that resides on-premises within the enterprise, or one that is arranged through a private line that connects to an external provider.

One of the first IT services to catch on as coming from the cloud was disaster recovery, in part because every enterprise was looking for a site other than its own to host the backup versions of its production systems. Instead of establishing a duplicate data center in miniature, many organizations found they could use the cloud instead.

If you need an offsite facility, not exposed to the same storms, fires, or earthquakes as the primary data center, then chances are there's some location in the cloud that suits that need. A regional cloud provider in Indianapolis -- Bluelock -- found it could market disaster recovery as a service to firms on the East Coast after Hurricane Sandy.

Bluelock data centers are located in Indianapolis and Las Vegas.

On Oct. 10, Gartner named seven critical capabilities needed from disaster recovery as a service (DRaaS) providers, its second such listing. The first was in 2015. A summary and a copy of the full 2016 report, "Critical Capabilities of Disaster Recovery as a Service," can be found at Gartner's site.

"DRaaS became mainstream in 2015, with many providers experiencing double-digit revenue growth," according to the Gartner report.

Disaster recovery from the cloud isn't being treated as an experiment or pilot project. On the contrary, the report found 50,000 production systems being hosted by DRaaS in 2016, up from 30,000 at the end of 2015.

The report includes a review of 20 vendors in the field. They include such well0known names as IBM, Sunguard Availability Services, Microsoft, and VMware. But they're not always the highest-rated suppliers of DRaaS. There are lesser-known names that have specialized in the field, and have come away from the Gartner review with good grades, including Recovery Point, TierPoint, and Bluelock.

Gartner also made two predictions in the report:

Some of these large companies will failover to their infrastructure-as-a-service provider, instead of one of a number of specialized DRaaS providers. However, some will also use a managed hosting provider. But the shift to the cloud is well underway, according to Gartner analysts Ron Blair, John Morency, and Mark Thomas Jaggers, who all coauthored the report.

Defining DRaaS

What are the seven core capabilities of disaster recovery as a service? The Gartner report defines their qualities in its report.

Any disaster recovery service, no matter where it operates, has to be able to duplicate the core business production systems when called on to do so, and DRaaS providers can do so either by having a duplicate on a bare metal server or a virtual machine that can be called up from storage. Some disaster recovery systems are a hybrid of the two.

The nature of the services varies depending on how responsibility is left to the owner to remotely restore a system on his own, versus getting help from the vendor and making the recovery a hosted system being managed by the vendor.

A second critical capability is testing and declaration of a disaster. The earlier generation of disaster recovery systems were difficult to test without actually unplugging running production systems and seeing what happened. It was sometimes more disaster than recovery.

The DRaaS services allow their customers to run periodic tests with much less risk to production systems. Customers also need a speedy and well-established procedure for telling their service supplier that a disaster has occurred.

A third capability is service manageability. The customer and vendor must establish an agreed-upon recovery point objective (RPO) -- a point in time in the past to which the recovery restores all data and guarantees its integrity. Companies have been trying to find cost-effective ways to reduce the RPO from days, down to hours -- or better yet, a few minutes or seconds.

During the short time between the disaster and the RPO, both data and business may be lost. Likewise, a Recovery Time Objective (RTO) must be set that states how quickly the vendor will bring back up a failed system and establish the automation to meet it.

The fourth capability is resiliency. The DRaaS provider needs its own replicated virtual machine images and customer data to guarantee constant availability of a customer system after a failure. The built-in resiliency of a service should go so far as to provide the ability to failover the provider's data center to an alternative site.

[Want to see how one company turned to DR in the cloud? Read Cloud ROI Easy Win: Disaster Recovery.]

The fifth capability is that the provider be able to operate on a level of compliance that matches what was needed by the customer. That means setting up the DRaaS data center in such a way that it can meet the requirements of DoD 522.22-M, NIST 800-88, FISMA, HIPAA, PCI, and ITAR, among others.

The sixth capability is an ability to provide value-added services on top of basic disaster recovery. Such things as data backup and archival management services, or services specific to industry verticals like healthcare, government, or financial services. Some customers might need a mainframe or Digital Equipment Vax hardware offering, even though neither is part of the standard service offering.

The seventh capability consists of providing a satisfactory customer experience. DRaaS providers need to provide thoroughly thought-through self-service customer procedures and access to support staff when needed.

A provider may have a good recovery system, but if the customer can't find out why it's not being triggered during his failure, it's all for naught.